windealer | ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe
Size

448KB
MD5

76ba5272a17fdab7521ea21a57d23591
SHA1

6b831413932a394bd9fb25e2bbdc06533821378c
SHA256

ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261
SHA512

61dbf7fc1e2e5030a9c868edef37d9bd2a9e0ae96de87087929dce451e49df283089906c1fee619a7a53762f6d85f2802364a0ce0aa90d8cfc2153d79596075e
SSDEEP

6144:d9eE+BSAOxVxkRqEavXcboOGQoEZu77RaXZDs0DZ186LxSp6TyD61:CEPxxVxkRqdvOiQTA2Ds0N1XLxSOyu

Score

10^/10

windealer stealer trojan

Malware Config

Signatures

Detect WinDealer information stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1712-0-0x0000000010000000-0x000000001003B000-memory.dmp	family_windealer
behavioral1/memory/1712-7-0x0000000010000000-0x000000001003B000-memory.dmp	family_windealer
behavioral1/memory/1712-6-0x0000000010000000-0x000000001003B000-memory.dmp	family_windealer
behavioral1/memory/1712-5-0x0000000010000000-0x000000001003B000-memory.dmp	family_windealer

WinDealer
WinDealer is an info stealer used by LuoYu group.
stealer trojan windealer

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe

pid	process
1712	ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe
1712	ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe

C:\Users\Admin\AppData\Local\Temp\ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe
"C:\Users\Admin\AppData\Local\Temp\ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-0-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1712-7-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1712-6-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1712-5-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download